Add Garage
ethnt committed Nov 7, 2024
1 parent 6dea1b7 commit fe3dda9
Showing 6 changed files with 236 additions and 9 deletions.
63 changes: 58 additions & 5 deletions hosts/gateway/profiles/nginx/default.nix
@@ -1,11 +1,18 @@
{ config, profiles, hosts, ... }: {
imports = [ profiles.web-servers.nginx ];

sops.secrets.nginx_fileflows_basic_auth_file = {
sopsFile = ./secrets.yml;
format = "yaml";
owner = config.services.nginx.user;
inherit (config.services.nginx) group;
sops.secrets = {
nginx_fileflows_basic_auth_file = {
sopsFile = ./secrets.yml;
format = "yaml";
owner = config.services.nginx.user;
inherit (config.services.nginx) group;
};

lego_route53_credentials = {
sopsFile = ./secrets.yml;
format = "yaml";
};
};

services.nginx.virtualHosts = let
Expand Down Expand Up @@ -129,6 +136,32 @@
'';
};

"web.garage.e10.camp" = {
forceSSL = true;
useACMEHost = "web.garage.e10.camp";
serverAliases = [ "*.web.garage.e10.camp" ];

locations."/" = {
proxyPass =
"http://${hosts.omnibus.config.networking.hostName}:${toString 3900}";
};
};

"s3.garage.e10.camp" = {
forceSSL = true;
useACMEHost = "s3.garage.e10.camp";
serverAliases = [ "*.s3.garage.e10.camp" ];

locations."/" = {
proxyPass =
"http://${hosts.omnibus.config.networking.hostName}:${toString 3900}";
extraConfig = ''
proxy_max_temp_file_size 0;
client_max_body_size 5G;
'';
};
};

"netbox.e10.camp" = mkVirtualHost {
host = hosts.matrix;
port = 8002;
Expand Down Expand Up @@ -190,4 +223,24 @@
'';
};
};

security.acme.certs = {
"s3.garage.e10.camp" = {
domain = "s3.garage.e10.camp";
extraDomainNames = [ "*.s3.garage.e10.camp" ];
dnsProvider = "route53";
credentialsFile = config.sops.secrets.lego_route53_credentials.path;

group = "nginx";
};

"web.garage.e10.camp" = {
domain = "web.garage.e10.camp";
extraDomainNames = [ "*.web.garage.e10.camp" ];
dnsProvider = "route53";
credentialsFile = config.sops.secrets.lego_route53_credentials.path;

group = "nginx";
};
};
}
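Review bot: The `web.garage.e10.camp` vhost at the top of the second hunk proxies to port 3900, which in the garage profile added by this same commit is the S3 API listener (`s3_api.api_bind_addr`), while the static-site handler whose `root_domain` is `.web.garage.e10.camp` is bound on 3902 (`s3_web.bind_addr`); as written, requests for `*.web.garage.e10.camp` will land on the S3 API rather than the website endpoint, and the 3902 listener goes unused. The one-line fix is `"http://${hosts.omnibus.config.networking.hostName}:${toString 3902}";` in that location. Both new vhosts also depend on the original `Host` header reaching Garage for vhost-style bucket routing; if the imported `profiles.web-servers.nginx` does not enable `recommendedProxySettings`, add `proxy_set_header Host $host;` to their `extraConfig`. The `services.nginx.virtualHosts` attribute set begins and ends outside the visible hunks.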
7 changes: 4 additions & 3 deletions hosts/gateway/profiles/nginx/secrets.yml
@@ -1,4 +1,5 @@
nginx_fileflows_basic_auth_file: ENC[AES256_GCM,data:LT/LcmGGFgeisYcmqt067QbsHMy/cicBajp/sU5BcD4Wk2nuSQmUPw3Eoxs=,iv:ODoWmYda+HMRnBD+UiE7QuK7/xWRIMZpKsJfgLAiJrs=,tag:lOnfCoGvocDyGouRZGAmug==,type:str]
lego_route53_credentials: ENC[AES256_GCM,data:gezuGnKLlv1BS5ZR55ZsPlH5wdQlQ6863WTtMBFiMnzu9no7xVV9Ahbb+l9m+1y2RAwBanDS2xYqrO2ycPxYmwGYScQnImjvpqH+4K2DGukbIvI5vQP1p+UixDaRrg9m9XXHt/SMbQ0lka7g1+T9ICzIMqjq6/TQRR+DGgzM4v9c2kWBnpznRV14iBPhj5m2dojnLpovggIR7Y+8ny6rRZh8fFzagw==,iv:jBeCGnN1jZ8X1NkmCQDvRIcqCy+b/q0mUxFsNUwRLRw=,tag:UNYWt6BRUcvkpY14Na+YSg==,type:str]
sops:
kms: []
gcp_kms: []
Expand Down Expand Up @@ -95,8 +96,8 @@ sops:
aC9pSGpoSWJrcG5iRGdPZEhhYXF5Q1EKKkPBACESizSI/C0zuF3USsEEDNQpvT93
/ue2bjvAiS84Fzqu6RFITFtW0DsKz2tO344s09nxDEPWWAyh17nxiw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-23T14:32:12Z"
mac: ENC[AES256_GCM,data:C4AQMPeF3dzVEfT2beFFHoYZNLdLsocX8jhvm5obFms5eA5Kw37m07s25IO5ZRD/OaueOTiKSNKRQaIyvemlkssRbnLdHqfI5fmkDaF4Ht9G5i2AgiAiPu/tXLfjmJCMhUyEnf9xeVxFgKmQ49ZSGRubBdQYCoPQOCJlibPYgL0=,iv:dA4xW8wywFX0bMJ0LMdhfczVs8DTCXkh6LaTXdFX7bs=,tag:CQyxTvQVYL7K1BbuEG1UTQ==,type:str]
lastmodified: "2024-11-07T04:39:50Z"
mac: ENC[AES256_GCM,data:DTudp4Fa1GVYKlqmSusxe4CoGV+A7Ar7wju8kfjA31QXxi1GBBiTuVa0Tn3PQQP+WYwEkQ7TLsB02EOhRCsvkh5VghDiK+Asxn3WQAzrRQaVpsm4nzz7kl7hjhvGDk7yRsuGIdwKBVxBAPiHvRuSB1lCbe2e8bXUjQj2GPq3UFE=,iv:hebxSo+t4i7unn+Jt7ryqRnp+gFKFmmwoJbeWPN2hmk=,tag:pSqz+v3PYu7ZCol4GOHCFQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.9.1
6 changes: 5 additions & 1 deletion hosts/monitor/profiles/prometheus.nix
Expand Up @@ -469,6 +469,10 @@
}];
scrape_interval = "1m";
}

{
job_name = "garage";
static_configs =
[{ targets = [ "${hosts.omnibus.config.networking.hostName}:3903" ]; }];
}
];
}
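Review bot: The new `garage` scrape job targets the Garage admin API port 3903 with no `authorization` block, so it only works while the `/metrics` endpoint is left unauthenticated; the secrets file in this commit already carries a `garage_metrics_token`, and as soon as that is wired into Garage's `admin.metrics_token_file` this scrape will start failing with 403. Declare that secret for the prometheus user on this host and present it as a bearer token, along the lines of `authorization = { type = "Bearer"; credentials_file = config.sops.secrets.garage_metrics_token.path; };` (option names to be confirmed against the NixOS prometheus module in use). Leaving the endpoint open is the weaker choice, since 3903 is also opened in the firewall on the garage host. The enclosing `scrape_configs` list starts outside the hunk.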
1 change: 1 addition & 0 deletions hosts/omnibus/configuration.nix
Expand Up @@ -13,6 +13,7 @@
profiles.users.proxmox
profiles.databases.postgresql.default
profiles.services.atticd.default
profiles.services.garage.default
] ++ [ ./hardware-configuration.nix ./disk-config.nix ];

boot.loader.grub.devices =
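--- /dev/null
+++ b/modules/profiles/services/garage/default.nix
@@ -0,0 +1,73 @@
+{ config, pkgs, ... }: {
+sops.secrets = {
+garage_rpc_secret = {
+format = "yaml";
+sopsFile = ./secrets.yml;
+mode = "0600";
+owner = config.users.users.garage.name;
+};
+
+garage_admin_token = {
+format = "yaml";
+sopsFile = ./secrets.yml;
+mode = "0600";
+owner = config.users.users.garage.name;
+};
+};
+
+users = {
+users.garage = {
+group = config.users.groups.garage.name;
+isSystemUser = true;
+};
+
+groups.garage = { };
+};
+
+systemd.tmpfiles.rules = [
+"d '${config.services.garage.settings.data_dir}' 0777 ${config.users.users.garage.name} ${config.users.groups.garage.name} - -"
+];
+
+systemd.services.garage = {
+serviceConfig = {
+ReadWriteDirectories = [ config.services.garage.settings.data_dir ];
+DynamicUser = false;
+User = config.users.users.garage.name;
+Group = config.users.groups.garage.name;
+};
+};
+
+services.garage = {
+enable = true;
+package = pkgs.garage_1_0_1;
+settings = {
+metadata_dir = "/var/lib/garage/meta";
+data_dir = "/data/files/services/garage";
+db_engine = "sqlite";
+
+replication_factor = 1;
+
+rpc_bind_addr = "0.0.0.0:3901";
+rpc_secret_file = config.sops.secrets.garage_rpc_secret.path;
+
+s3_api = {
+s3_region = "garage";
+api_bind_addr = "0.0.0.0:3900";
+root_domain = ".s3.garage.e10.camp";
+};
+
+s3_web = {
+bind_addr = "0.0.0.0:3902";
+root_domain = ".web.garage.e10.camp";
+index = "index.html";
+};
+
+admin = {
+api_bind_addr = "0.0.0.0:3903";
+admin_token_file = config.sops.secrets.garage_admin_token.path;
+};
+};
+};
+
+networking.firewall = { allowedTCPPorts = [ 3900 3901 3902 3903 ]; };
+}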
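Review bot: The tmpfiles rule in the middle of this file creates `data_dir` with mode `0777`, making the object store's backing directory world-writable on the host even though the unit is pinned to the dedicated `garage` user and group a few lines below; `0700` is sufficient, i.e. `"d '${config.services.garage.settings.data_dir}' 0700 ${config.users.users.garage.name} ${config.users.groups.garage.name} - -"`. Every listener binds `0.0.0.0` and the final line opens 3900–3903 in the firewall, so the S3, web and admin APIs are reachable directly rather than only through the TLS gateway, and Garage's documented behaviour is to serve `/metrics` on the admin port without authentication when no metrics token is configured. The `garage_metrics_token` present in this commit's secrets.yml is neither declared under `sops.secrets` here nor passed as `metrics_token_file = config.sops.secrets.garage_metrics_token.path;` under `admin`, so either wire it in or narrow `allowedTCPPorts` to the interface that faces the gateway and monitor hosts (3901 needs to stay open only for other cluster nodes, of which `replication_factor = 1` suggests there are none). Separately, `ReadWriteDirectories` is the deprecated spelling of `ReadWritePaths`.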
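--- /dev/null
+++ b/modules/profiles/services/garage/secrets.yml
@@ -0,0 +1,95 @@
+garage_rpc_secret: ENC[AES256_GCM,data:X1TE3Jr1HFGLgPvoejXRkLIMqe/w86YF1XhiHsd7a6Jzn4UIfo5JTKTvMICk3cK76RfekOrTdL2fIlMFK28AQQ==,iv:rDBFiezw7wAHoel315cUQwIRBNaQfnJah0ioom49SeE=,tag:FytY9BuHatFMMOcMPK78zA==,type:str]
+garage_admin_token: ENC[AES256_GCM,data:pL4KYCljGpXlQ1AhLwcugIglTNb/pSbP1MaaegrM3O1+Mi/F4tG/E8X+/+qvV6kDP7dA6aly1GczKkfhqkuePw==,iv:cPED05pTV2mF+gUFihMXes4Q84CNjd+6SNvWcH/9Qkw=,tag:iC6ImJn/wnokF3E3dbopSg==,type:str]
+garage_metrics_token: ENC[AES256_GCM,data:GLjaX0hfSTkVaheSStn80AI6XYr3EG5aGRKZFt06ojWebBAI6gcrEM0Sc+1YTs+dstv62qZDdea9gq351k6CJQ==,iv:MT5WLiZLBlf3XUR1gX8JCC5ZmytJIrjw5zg09BnFQIM=,tag:IZaHua9TWrb4DJEFbeSgTg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURXJKZDRNOGsrOEc3bkt1
+aEJiVlFNMHd3L0REY29MeFF4YzdZOE5ENmhRCldyK2JSKzhsWGVySzZRSnZZZlBS
+QzdBK3liT21uWWoxZ3JvMjhiTEFlT0UKLS0tIGEwMkREaGZQd29SQ3ZOaDRteHBS
+M01aUFpkbTltNnU2NFpCUDdSYmZiNzAKT2lj4AoRAlZQLSnsKogzPrcUhES+28jx
+jKdPoyFe6959ARw62hMNPnxKW7cMCk6gqO94DxHWFpzfq9hY28Wj2Q==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age17lsd78hka8rmuvmmx6d03cqjl2h55lsvrnzdfq0ge4acujf6nffswdwvr0
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNjNBNi9PVVJBOTZCQ0lI
+WGdjYnpIR3k4N1phaWtjY0tSRGdZMlpOT1ZFClpEajVLQ2RLb0FhZDhoa1NPdlpo
+STcyb01Dbk4wd0VWUTdzbDNZRjhDKzgKLS0tIDFJdkNVeGp4UnVlVW1xM0pEbEtB
+Y2U4dEJDQVBDQ1hXMm40VksrWDNCT1UKOKTUHrv0ieJxGQ4abeH/6VwxwDUwbjVA
+MN82wNjwnRtbMIrV+dIwOlrSY+Ve3ffoN4bH/3ErGBvThXqUXnrm7g==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age10jmr8lvn5wmxv6w0lk3vapawljnqfvws095ale94mthcgxueza9sscqq3h
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRXJBdnFpaFIvUktrRm1Q
+ODFRZ0xic2tjMVpaQm90SWo2UWFPaHl5K3k0CmVWMFVrQXJhVnY3QkIycHBYRXgr
+dG1oL0ZTWXhZQVlSaXlDL3pMdTlncncKLS0tIGtRWndxN0gybUJZaXk4VzhmSWxP
+Zkc1VjFNSHdHck9aZzhHYmJpRmEwZUEK9otbokxLcfLicFdr/9PEMbiUpVOxmJHD
+0YuMl2vWIyxfCkYys0k4mHHDhwEm2Slc77dvQAnldhfmCjEhmlSNvQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1k5nzxq4ej2u9ls97c2dhlz96j2vghv0assz5g0p4npzyc8c8fqlqld72hg
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweWJhU0ZIMEg4dG5ORUlr
+TmdRUFFvbmpSa2l5YmNlQnltOFdodXdjZW5jCkJNamhjZzRnNmllMm5EWGxJQyt2
+VEVVRDRVTVpqUWZTbDhyL09JdU8ydDgKLS0tIG1lRW9ZTXVDSjNYZkxDRjdzTExm
+d0lRcTU4ek1YTzVKWnNJMCtUUUVteU0KjbDRFbh/AmYZ6+U9adzoPY609RqRs/DF
+7dyvJx3zhQvP6veutlUWQ0/zDTOcs3mEd2YaIGyfYXy5pQBFOuY/sA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bWFONVp4bnEwRVZqL1VZ
+RGZST1g5bWVyVEJZT0dZcnJHQTE2TDYwQUdFCnFWc0czM2s4RDBWTVdWN1QyaFZJ
+ajVaL0pmMWJBa1dQNWhDdTlIUHhqS3MKLS0tIDZJL0VTRmc1T1gwaENkTC9VRkJI
+TDJUS05yTGtKdHZBUTBCV2pPOGczZUUKBNwDfDnw9ptpIwj2ySIxnlbIjdtfziL0
+oYKXB1chGw5tU1UFEerJxwaBZPC06jxbQgT3UpU8j1yszjvb57K1Mw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUXorcTJjNzVQVldnaHBX
+OEVBZFdYaG80S2gwWjVCSW4vc3lkZWhxY0M0CnhOM1A5UU5jMW5lWVRkOC93V1Iz
+Uk93akluYTVLM25WV0VPSHJlWTlWMW8KLS0tIGs2aHdicWtSQkcyUlVyd1YrWmRt
+aGN0UFNmcDdDTU84Z3FFYUdDM25scWMKitYEA3ICgo4Yfs/FtEv9qc0PHhExWfUn
+alPV0hhx/32xexG7SzwlUWXcRFMLe/dm3H4iIqK/HP/dulyNV5I5xg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age15jjykch8km3l8atssu0n9us6d2xg58z0ds9s0djtdh9l954sud5szqxv29
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBazZCNm1QL0R2Szk5UWxE
+QUt3aVo2WlNxcHlvRmNFODhVZTI4L3lCUGtFCm9VL0Jwbk5lK3hCQ29uL1JhMTBO
+eWZFd2xic1ZicGJER05xV011LzlSUTgKLS0tIElleFhMK3hFNHNsci90STljb1ZV
+VnRiQ1lXMWxXNU4rcHRtT1NNeHNBM3MKCY4XbcEoff40BfCa3DNebSEjQbTpEdkt
+qLKM99FFvLqrgzyEicUh+RY+bsRlGGpCu0hT5Or2KN2C40lMyeeZNg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age10jhawn266e3wr6rx0lndkl9a47ewtk6jgh35d2582uu2l7dtn4tqdqc29c
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxWVZhMUdnemNsVldYR3Fn
+SnlqZFdkbzNDc2dSZnVkQWVPaTJiZmhBOXdRCmYzY3pBbmJZT0t6dSs3SWxxejRZ
+S3kwLzNyQ05SMVV3TDVKN0JkQ3N2ZzgKLS0tIGVGakQ4VmhXUkhPb09OL1cxN0hU
+N1dSeXZWd2daaitzdHNvNitwUlBxQXcKPlqO8mCuugG+PdKI5+h1tzKw+/xyhLBT
+5tp4jER1Jl/eC4gcxkb4BuGv04PCcdYYmxDRE4ujRX8ujjSd1x6Gqw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1a4r3d5m0eu94vwsrse83k09fgclcfmthkz93p6h0m5vqyptq2yxswptzjf
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMnJ1NGtIbXJzcHBOZ0hu
+cFU3WkFMUXJKUTBSQ2E3eTYzZ1NWeGJtY25NCkVqVktLb0plcDNyclMvekE3eVU3
+dWRQUGpCZ3FoUnJvbTdEYnM4dHpmWDQKLS0tIDBoNVZkdnJYd0JtY0JaY3JUMExK
+aThUcDVEUGZUU1hvcGZkb0FKMHUyKzQKTtQq0d+Vw2VFmXbxW4vQrv5bmEoGzqCr
+cPyuBjJpzX/dONXdgkW304zZ48/zE/Kw1scH5wkSaUrV0PV0LfVKSg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-11-06T22:17:29Z"
+mac: ENC[AES256_GCM,data:WmYHfLeHEVNiDL+BDG7jO/vqtci8llcJDEmikq929xuMfCRMLn6EMIrKj4ImxXrPy69l2+rdLQbnpQEQqDhlnad2xEkEjejaMPRH3NsUwwOEncKi6JsuVHAsmKZnMbxX40kgubKK4g+U3tW4nbMpLvtS8SEURAqwtpjNqBWBxuI=,iv:5mC45BAHTYiz54uJ8oxZ1m+6QQi6px2U8BDCabgLFV4=,tag:eVEtMnC2TIIVfDt7YZFCZQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.1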
